What's New in Osquery 4.3

Beyond the Changelog

This article goes beyond the Changelog, and demonstrates the use of new osquery features in context.

The focus of this article is new features, so check out the changelog for the full list of changes.

Tables

New Table – socket_events – macOS

The socket_events table is now available on macOS in addition to the previously supported Linux platforms.

This table provides auditing of system calls related to socket-based networking.

The OpenBSM system must be configured separately from osquery in order to receive the events. The following configuration is placed in /etc/security/audit_control:

#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:ex,pc,ap,aa,lo,ad,nt
flags:ex,pc,ap,aa,lo,ad
minfree:5
naflags:no
policy:cnt,argv,arge
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

After setting the configuration, restart the computer.

Now run osquery with --disable_audit=false --audit_allow_sockets=true (also --disable_events=false if using osqueryi).

Output from the table looks like:

osquery> select * from socket_events;
        action = connect
           pid = 393
          path = /Applications/Dropbox.app/Contents/MacOS/Dropbox
            fd = 8a
          auid = 501
       success = 0
        family = 2
 local_address = 0
remote_address = 162.125.35.136
    local_port = 0
   remote_port = 443
          time = 1587405089
        uptime = 218

        action = bind
           pid = 725
          path = /Applications/Docker.app/Contents/Resources/bin/com.docker.vpnkit
            fd = 10
          auid = 501
       success = 1
        family = 2
 local_address = 0.0.0.0
remote_address = 0
    local_port = 0
   remote_port = 0
          time = 1587405102
        uptime = 231

        action = bind
           pid = 725
          path = /Applications/Docker.app/Contents/Resources/bin/com.docker.vpnkit
            fd = 11
          auid = 501
       success = 1
        family = 2
 local_address = 0.0.0.0
remote_address = 0
    local_port = 0
   remote_port = 0
          time = 1587405102
        uptime = 231

New Table – screenlock – macOS

This table indicates whether the automatic macOS screenlock is enabled, and the grace period before it activates. It is only available on macOS 10.13+.

osquery> SELECT * FROM screenlock;
+---------+--------------+
| enabled | grace_period |
+---------+--------------+
| 1       | 5            |
+---------+--------------+

New Table – chrome_extension_content_scripts – All Platforms

This table provides more detailed information about the execution of JavaScript from Chrome extensions. By joining to the chrome_extensions table, we can observe which URLs a given extension's scripts will run on.

osquery> SELECT * FROM chrome_extensions JOIN chrome_extension_content_scripts USING (identifier) limit 5;
                 uid = 501
                name = 1Password extension (desktop app required)
             profile = Default Profile
          identifier = aomjjhallfgjeglblehebfpbcfeobpgk
             version = 4.7.5.90
         description = Extends the 1Password app on your Mac or Windows PC, so you can fill and save passwords in your browser.
              locale = en
          update_url = https://clients2.google.com/service/update2/crx
              author = AgileBits
          persistent = 0
                path = /Users/zwass/Library/Application Support/Google/Chrome/Default/Extensions/aomjjhallfgjeglblehebfpbcfeobpgk/4.7.5.90_0/
         permissions = contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*
optional_permissions =
                 uid =
             version = 4.7.5.90
              script = injected.min.js
               match = http://*/*

                 uid = 501
                name = 1Password extension (desktop app required)
             profile = Default Profile
          identifier = aomjjhallfgjeglblehebfpbcfeobpgk
             version = 4.7.5.90
         description = Extends the 1Password app on your Mac or Windows PC, so you can fill and save passwords in your browser.
              locale = en
          update_url = https://clients2.google.com/service/update2/crx
              author = AgileBits
          persistent = 0
                path = /Users/zwass/Library/Application Support/Google/Chrome/Default/Extensions/aomjjhallfgjeglblehebfpbcfeobpgk/4.7.5.90_0/
         permissions = contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*
optional_permissions =
                 uid =
             version = 4.7.5.90
              script = injected.min.js
               match = https://*/*
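Building on the join above, an added example (not from the original post) that lists the extensions whose content scripts run on every http/https page, one row per extension and user. It uses the columns shown in the output above; the match patterns in the IN list are Chrome's own wildcard forms, and the list is an assumption to extend as needed.

```sql
-- Extensions that inject a content script into every web page, per user.
-- GROUP_CONCAT collapses the script names and the broad match patterns so
-- each extension appears once instead of once per (script, match) pair.
SELECT e.uid,
       e.name,
       identifier,
       e.version,
       e.path,
       GROUP_CONCAT(DISTINCT s.script) AS scripts,
       GROUP_CONCAT(DISTINCT s.match)  AS broad_matches
FROM chrome_extensions e
JOIN chrome_extension_content_scripts s USING (identifier)
WHERE s.match IN ('<all_urls>', '*://*/*', 'http://*/*', 'https://*/*')
GROUP BY e.uid, identifier, e.version
ORDER BY e.uid, e.name;
```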

New Table – docker_container_fs_changes – POSIX

This table provides a summary of the changes to a Docker container's filesystem since the container was created.

Run a Docker container and modify some files:

docker run --rm -it alpine:latest sh
/ # touch foobar
/ # cat > /etc/passwd
tim tam
/ #

Select the changes using the ID of the running container:

osquery> SELECT * FROM docker_container_fs_changes WHERE id = '1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c';
         id = 1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c
       path = /etc
change_type = C

         id = 1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c
       path = /etc/passwd
change_type = C

         id = 1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c
       path = /foobar
change_type = A

         id = 1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c
       path = /root
change_type = C

         id = 1c4ca72d3961eeb7cff53c02404f351bd4aabc3c133d46a34301dc5eaf1d498c
       path = /root/.ash_history
change_type = A

How to interpret the data:

  • C - Changed
  • A - Added
  • D - Deleted
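As an added example (not from the original post), the same table joined to docker_containers so that changes under sensitive paths are reported with the container name and image rather than only its ID. It assumes the docker_containers table's name, image and state columns, and the path list is a starting point, not a complete one.

```sql
-- Added or changed files under sensitive paths in running containers.
-- Change types: A = added, C = changed; D = deleted is left out here.
-- LIKE '/etc/%' matches files below /etc but not the /etc directory entry
-- itself, which the sample output shows as a separate 'C' row.
SELECT c.name,
       c.image,
       id,
       f.path,
       f.change_type
FROM docker_containers c
JOIN docker_container_fs_changes f USING (id)
WHERE c.state = 'running'
  AND f.change_type IN ('A', 'C')
  AND (f.path LIKE '/etc/%'
       OR f.path LIKE '/root/%'
       OR f.path LIKE '/usr/bin/%'
       OR f.path LIKE '/usr/sbin/%')
ORDER BY c.name, f.path;
```

Against the session above this returns the /etc/passwd and /root/.ash_history rows, which is the kind of change a scheduled query can alert on.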

New Table – windows_security_center – Windows

This table exposes information about the configuration of security products on Windows systems.

osquery> SELECT * FROM windows_security_center;
                       firewall = Error
                     autoupdate = Good
                      antivirus = Good
                    antispyware = Good
              internet_settings = Good
windows_security_center_service = Good
           user_account_control = Good

New Table – userassist – Windows

UserAssist records the programs that have been executed on a Windows system. Try using an ORDER BY clause when querying this table to get a list of recently opened applications.

osquery> SELECT * FROM userassist ORDER BY last_execution_time DESC LIMIT 3;
               path = C:\Users\Public\Desktop\Firefox.lnk
last_execution_time = 1587170116
              count = 2
                sid = S-1-5-21-985353834-2318998755-1039042827-1001

               path = {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe
last_execution_time = 1587170030
              count = 162
                sid = S-1-5-21-985353834-2318998755-1039042827-1001

               path = {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe
last_execution_time = 1587169981
              count = 108
                sid = S-1-5-21-985353834-2318998755-1039042827-1001

New Table – hvci_status – Windows

This table provides the configuration status for Windows Device Guard HVCI protection.

osquery> select * from hvci_status;
                                 version = 1.0
                     instance_identifier = 4ff40742-2649-41b8-bdd1-e80fad1cce80
                              vbs_status = UNKNOWN
code_integrity_policy_enforcement_status = UNKNOWN
                      umci_policy_status = UNKNOWN

New Tables – lxd Series – Linux

This collection of new tables provides access to information about the LXD containerization technology running on a Linux host.

Configure osquery with the path to the LXD server socket. On our standard Ubuntu 18.04 installation the command was sudo osqueryi --lxd_socket=/var/snap/lxd/common/lxd/unix.socket.

Available tables:

  • lxd_certificates
  • lxd_images
  • lxd_instances
  • lxd_cluster
  • lxd_instance_config
  • lxd_networks
  • lxd_cluster_members
  • lxd_instance_devices
  • lxd_storage_pools

osquery> select * from lxd_images;
                       id = 2cfc5a5567b8d74c0986f3d8a77a2a78e58fe22ea9abd2693112031f85afa1a1
             architecture = x86_64
                       os = ubuntu
                  release = bionic
              description = ubuntu 18.04 LTS amd64 (release) (20200407)
                  aliases = 
                 filename = ubuntu-18.04-server-cloudimg-amd64-lxd.tar.xz
                     size = 187712276
              auto_update = 1
                   cached = 1
                   public = 0
               created_at = 2020-04-06T17:00:00-07:00
               expires_at = 2023-04-25T17:00:00-07:00
              uploaded_at = 2020-04-20T13:15:47.204996207-07:00
             last_used_at = 2020-04-20T13:15:47.24795917-07:00
     update_source_server = https://cloud-images.ubuntu.com/releases
   update_source_protocol = simplestreams
update_source_certificate = 
      update_source_alias = 18.04

osquery> select * from lxd_instances;
        name = first
      status = Running
    stateful = 0
   ephemeral = 0
  created_at = 2020-04-20T13:15:47.216058813-07:00
  base_image = 2cfc5a5567b8d74c0986f3d8a77a2a78e58fe22ea9abd2693112031f85afa1a1
architecture = x86_64
          os = ubuntu
 description = Ubuntu 18.04 LTS server (20200407)
         pid = 1686
   processes = 24

osquery> select * from lxd_cluster;
              server_name = 
                  enabled = 0
     member_config_entity = storage-pool
       member_config_name = default
        member_config_key = size
      member_config_value = 
member_config_description = "size" property for storage pool "default"

osquery> select * from lxd_instance_config where name = 'first';
 name = first
  key = image.architecture
value = amd64

 name = first
  key = image.description
value = ubuntu 18.04 LTS amd64 (release) (20200407)

 name = first
  key = image.label
value = release

 name = first
  key = image.os
value = ubuntu

 name = first
  key = image.release
value = bionic

 name = first
  key = image.serial
value = 20200407

 name = first
  key = image.type
value = squashfs

 name = first
  key = image.version
value = 18.04

 name = first
  key = volatile.base_image
value = 2cfc5a5567b8d74c0986f3d8a77a2a78e58fe22ea9abd2693112031f85afa1a1

 name = first
  key = volatile.eth0.host_name
value = vethaed27f98

 name = first
  key = volatile.eth0.hwaddr
value = 00:16:3e:81:b0:ef

 name = first
  key = volatile.idmap.base
value = 0

 name = first
  key = volatile.idmap.current
value = [{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]

 name = first
  key = volatile.idmap.next
value = [{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]

 name = first
  key = volatile.last_state.idmap
value = [{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]

 name = first
  key = volatile.last_state.power
value = RUNNING

osquery> select * from lxd_networks;
            name = lxdbr0
            type = bridge
         managed = 1
    ipv4_address = 10.116.236.1/24
    ipv6_address = fd42:98e6:277e:e9ee::1/64
         used_by = first
  bytes_received = 5458
      bytes_sent = 21474
packets_received = 60
    packets_sent = 128
          hwaddr = 2a:6a:bf:23:13:23
           state = up
             mtu = 1500

            name = lo
            type = loopback
         managed = 0
    ipv4_address = 
    ipv6_address = 
         used_by = 
  bytes_received = 14810
      bytes_sent = 14810
packets_received = 151
    packets_sent = 151
          hwaddr = 
           state = up
             mtu = 65536

            name = enp0s3
            type = physical
         managed = 0
    ipv4_address = 
    ipv6_address = 
         used_by = 
  bytes_received = 676991
      bytes_sent = 59411
packets_received = 848
    packets_sent = 481
          hwaddr = 08:00:27:92:41:b5
           state = up
             mtu = 1500

osquery> select * from lxd_cluster_members;
server_name = none
        url = https://0.0.0.0
   database = 0
     status = Offline
    message = no heartbeat since 16m13.555443828s

osquery> select * from lxd_instance_devices where name = 'first';
       name = first
     device = eth0
device_type = nic
        key = name
      value = eth0

       name = first
     device = eth0
device_type = nic
        key = network
      value = lxdbr0

       name = first
     device = root
device_type = disk
        key = path
      value = /

       name = first
     device = root
device_type = disk
        key = pool
      value = default

osquery> select * from lxd_storage_pools;
        name = default
      driver = zfs
      source = /var/snap/lxd/common/lxd/disks/default.img
        size = 1GB
  space_used = 367023104
 space_total = 855638016
 inodes_used = 0
inodes_total = 0
